Securing Systems with Users, Groups, and Permissions
To change the default values, we will edit /etc/login.defs. Let’s check the section for the most common changes:
    # Password aging controls:
    #
    #    PASS_MAX_DAYS   Maximum number of days a password may be used.
    #    PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    #    PASS_MIN_LEN    Minimum acceptable password length.
    #    PASS_WARN_AGE   Number of days warning given before a password expires.
    #
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_WARN_AGE   7

Please take a few minutes to review the options in /etc/login.defs.
Now, we could have a situation in which a user has left the company. How can we lock the account so the user cannot access the system? The usermod command has the -L option, for lock, to do so. Let's try it. First, let's log into the system:
Figure 5.1 – The usertest user account logging into the system
Now, let’s lock the account:
    [root@rhel-instance ~]# usermod -L usertest
    [root@rhel-instance ~]# grep usertest /etc/shadow
    usertest:!$6$4PEVPj7M4GD8CH.4$VqiYY.IXetwZA/g54bFP1ZJwQ/yc6bnaFauHGA11eFzsGh/uFbJwxZCQTFHIASuamBz.27gb4ZpywwOA840eI.:18651:0:99999:7:3:21915:
Notice that there is a ! character added before the password hash. This is the mechanism used to lock it. Let's try to log in again:
Figure 5.2 – The usertest user account not being able to log into the system
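The ! marker and the date fields of /etc/shadow can be checked in bulk. The script below is an added example, not code from the book: it classifies shadow-format entries by password lock state and account expiry, and flags entries where only the password is locked, because usermod(8) notes that locking the whole account (not only password access) also requires setting the expiry date to 1. The function names and the sample entries with placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): read /etc/shadow-format lines and report
# password lock state and account expiry. Fields, per shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved

# shadow_state LINE TODAY  -> prints "<user> <password-state> <account-state>"
# TODAY is days since 1970-01-01, the unit /etc/shadow uses for dates.
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        hash = $2; rest = hash
        sub(/^!+/, "", rest)                 # drop the lock marker(s), if any
        if (hash == "")                      pw = "empty"    # no password required
        else if (rest == "" || rest == "*")  pw = "none"     # no password ever set
        else if (rest != hash)               pw = "locked"   # "!" + real hash
        else                                 pw = "usable"
        # Field 8 is the account expiry date; empty means the account never expires.
        acct = ($8 != "" && today + 0 >= $8 + 0) ? "expired" : "valid"
        print $1, pw, acct
    }'
}

# audit_shadow TODAY < shadow-format input
# Flags entries whose password is locked while the account itself is still valid.
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        state=$(shadow_state "$line" "$1")
        case $state in
            *" locked valid") echo "REVIEW $state" ;;
            *)                echo "ok     $state" ;;
        esac
    done
}

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
usertest:!$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18651:0:99999:7:3:21915:
leaver:!$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18651:0:99999:7::1:
alice:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18651:0:90:7:::
daemon:*:18367:0:99999:7:::
EOF
}

# Day 18651 is the "last changed" value from the usertest entry shown above.
sample_shadow | audit_shadow 18651
```

On a live system, run it as root with `audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow`.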
The account can be unlocked by using the -U option: